An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols - PowerPoint PPT Presentation

1
An Encapsulated Authentication Logic for
Reasoning about Key Distribution Protocols
What you may have understood of Dusko's talk
yesterday if he hadn't been speaking so fast
Part I
Catherine Meadows NRL
Dusko Pavlovic Kestrel Institute
  • Iliano Cervesato
  • Tulane University

Protocol eXchange
June 10, 2005
2
Contributions
  • Separate
  • Authentication reasoning
  • Secrecy reasoning
  • Define a logic of pure authentication
  • Secrecy as assumptions
  • Embed it in derivational framework
  • Apply to shared-key server-assisted key
    distribution protocols
  • Taxonomy
  • Comparative study
  • Clear understanding of underlying mechanisms

3
Server-Assisted Shared-Key Distribution Protocols
[Diagram of protocols: KD0, KD1, KD2, KD3, KD4, NSSK0, DS, NSSKfix0, NSSKfix1, NSSK1, K4core0, K5core0, NSSKfix, NSSK, K4core, K5core]
http://theory.stanford.edu/~iliano/papers/csfw05.pdf
4
Key Distribution Protocols
5
Verifying KD Protocols
Historically single monolithic proofs BUT
secrecy and authentication rely on very
different proof methods
  • Authentication
  • Completing partial order of actions
  • Get piping right
  • Local reasoning
  • Positive inference
  • Secrecy
  • Secret goes only to intended recipients
  • Pipes do not leak
  • Global reasoning
  • Negative inference

6
Divide et Conquera
  • Two coordinated logics
  • Logic of authentication
  • Relies on secrecy assumptions
  • Logic of secrecy
  • Relies on authentication assumptions
  • Benefits
  • Much simpler proofs
  • Modularity
  • Deeper understanding of
  • mechanisms
  • properties

7
Describing Protocol Runs
  • Principal actions
  • <m: A -> B>A  Send
  • (X: Y -> Z)A  Receive
  • (m/p(x))A  Match
  • (ν n)A, (τ t)A  New nonce, timestamp
  • Runs
  • Partial order of actions
  • Every receive has a send
  • Every match has succeeded
  • Observations
  • Protocols
  • Set of parametric roles
  • Akin to observations

8
Authentication Logic
  • First-Order logic with 3 predicates
  • aA: action aA has occurred
  • aA < bB: aA has occurred before bB
  • aA = bB: aA and bB are the same action
  • Nothing else!
  • Usage
  • Given A's observations, extend them with other
    principals' actions
  • Derive compatible runs
  • A ObsA ? F
  • A Y ObsA ? F
  • Iterated application of axioms

9
Logical Assumptions
  • Honesty
  • Principal does not deviate from role
  • honest S
  • Secrecy
  • Key uncompromised for given principals
  • secret(k, G) ??k m??Xlt ? X ? G (x/k y)X ?
    X ? G

10
Axioms
  • Basic truths about domain
  • Receive axiom
  • Y ((m))A ? ??m??Xlt lt ((m))A
  • Challenge-response axiom
  • A secret(K, A,B) (n n)A lt ??n??Alt
    lt ((K n))A? (n n)A lt ??n??Alt
    lt ((n))B lt ??K n??Blt lt ((K n))A
  • Timestamp axiom
  • A honest B ??t??Blt lt
    ((t))A ? (? t)A lt (t t)B lt ??t??Blt lt ((t))A lt (?
    t)A
  • Allow inferring new actions/ordering

11
Abstract Key Distribution
KD0
  • S spontaneously
  • Generates k
  • Sends it to A, B
  • A, B hardwired
  • Encrypted with KAS, KBS
  • A observes only (KAS k)
  • A reconstructs run
  • Must assume
  • honest S
  • secret(KAS, A,S)
  • Not secret(KBS, B,S)
  • B's reception unknown
  • Dual for B

12
Derivational Approach
  • Use rules, not just axioms
  • Operate on protocol and properties
  • Refinements
  • Transformations
  • Advantages
  • Abstract general constructions
  • Reuse protocol fragments
  • Structured understanding of
  • Mechanism
  • Properties
  • Relations between protocols
  • Open-ended taxonomies

13
Key Request
KD1
  • A issues request
  • A may not be talking to B
  • Even if S honest
  • Same holds for B

14
Binding
KD2
  • S includes names
  • A (B) authenticated to B (A)

Similar for B
  • Not how typical KD protocols are set up
  • S sends to 1 party only

15
Concatenated Relay
KD3
  • S sends all to A
  • A forwards to B
  • Seedling of Kerberos 5
  • A knows S sent
  • KAS (B,k), KBS (A,k)
  • A received
  • KAS (B,k), M
  • A doesn't know if
  • M = KBS (A,k)
  • Documented anomaly of Kerberos 5

16
Embedded Relay
KD4
  • Encrypted ticket
  • Basis of
  • NSSK
  • Denning Sacco
  • Kerberos 4

17
B's Point of View
KD4
  • With only
  • secret(KBS, B,S)
  • knows S generated k
  • With also
  • secret(KAS, A,S)
  • knows A knows k
  • A may not be honest

18
Additional Properties
  • Recency
  • (ν k)S bracketed by events controlled by A/B
  • Otherwise, intruder can infer k and attack
    protocol
  • Even if S is honest
  • Not satisfied so far
  • Key confirmation
  • A/B knows that B/A has k
  • Essential for using k
  • Only B in KD4 (under assumption)

19
Recency with Nonces
  • Use challenge-response as bracket

20
Core NSSK
NSSK0
  • (ν k)S bounded by (ν n)A
  • Ensures recency of k to A
  • A can reconstruct run up to B's action
  • No such guarantees for B
  • Denning-Sacco attack

21
Core NSSK-fix
NSSKfix0
[Diagram: message sequence between A, S and B. Labels as extracted: ν n; KBS(A,n); ν n; n,A,B, KBS(A,n); ν k; KAS(n,B,k,KBS(A,k,n)); KBS(A,k,n)]
  • Same device for B
  • Complications
  • Keeping A as initiator
  • Sending n to A
  • Achieves recency for B too
  • Complicated
22
Key Confirmation
NSSK1
[Diagram: message sequence between A, S and B. Labels as extracted: ν n; n,A,B; ν k; KAS(n,B,k,KBS(A,k)); KBS(A,k); k m]
  • B knows A has k
  • B tells A he has k by sending agreed message

Extends to NSSK-fix
23
NSSK does more!
NSSK
[Diagram: message sequence between A, S and B. Labels as extracted: ν n; n,A,B; ν k; KAS(n,B,k,KBS(A,k)); KBS(A,k); ν n; k n; k (n1)]
  • B concludes with CR
  • k not confirmed to A
  • Unless tagging
  • B already knows A has k
  • Exchange typical of repeated authentication
  • B repeatedly requests service from A
  • but A is initiator!
  • Similarly for NSSK-fix
24
Recency with Timestamps
  • Timestamp as bracketing device
  • Requires loosely synchronized clocks

25
Denning-Sacco
DS
[Diagram: message sequence between A, S and B. Labels as extracted: A,B; ν k, τ t; KAS(B,k,t,KBS(A,k,t)); KBS(A,k,t)]
  • Use timestamp for recency
  • Guarantee recency to both A and B
  • Same assurance as core NSSK-fix
  • Only 3 messages
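Added example (not from the slides): B's acceptance check for the ticket KBS(A,k) of KD4/NSSK0 next to the timestamped ticket KBS(A,k,t) of Denning-Sacco, showing why a ticket with no recency bracket is accepted whenever it is replayed while the timestamped one is rejected outside the clock window. The HMAC-based `seal` models only the integrity of K(...); the function names, the SKEW value and the keys are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

SKEW = 300  # assumed acceptance window in seconds (loosely synchronized clocks)

def seal(key: bytes, fields: dict) -> dict:
    """Model K(fields): integrity-protect fields under key (confidentiality not modelled)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}

def unseal(key: bytes, box: dict):
    """Return the fields if the tag verifies under key, else None."""
    want = hmac.new(key, box["body"], hashlib.sha256).digest()
    return json.loads(box["body"]) if hmac.compare_digest(want, box["tag"]) else None

def server_ticket(kbs: bytes, a: str, k: str, t=None) -> dict:
    """S's ticket for B: KBS(A,k) in KD4/NSSK0, KBS(A,k,t) in DS."""
    fields = {"peer": a, "k": k}
    if t is not None:
        fields["t"] = t
    return seal(kbs, fields)

def b_accepts_kd4(kbs: bytes, ticket: dict) -> bool:
    """B in KD4/NSSK0: can only conclude that S generated k at some point."""
    return unseal(kbs, ticket) is not None

def b_accepts_ds(kbs: bytes, ticket: dict, now: int) -> bool:
    """B in DS: additionally requires S's timestamp to lie inside the skew window."""
    fields = unseal(kbs, ticket)
    if fields is None or "t" not in fields:
        return False
    return abs(now - fields["t"]) <= SKEW

def demo() -> dict:
    kbs = b"constructed-long-term-key-B-S"       # constructed sample key
    issued, now = 1_000, 1_000 + 86_400          # ticket presented a day after issue
    old_plain = server_ticket(kbs, "A", "k-old")
    old_stamped = server_ticket(kbs, "A", "k-old", t=issued)
    forged = seal(b"not-KBS", {"peer": "A", "k": "k-x", "t": now})
    return {
        "kd4_replay": b_accepts_kd4(kbs, old_plain),         # stale ticket accepted
        "ds_replay": b_accepts_ds(kbs, old_stamped, now),    # stale ticket rejected
        "ds_fresh": b_accepts_ds(kbs, old_stamped, issued + 2),
        "ds_forged": b_accepts_ds(kbs, forged, now),         # fails secret(KBS) check
    }

if __name__ == "__main__":
    print(demo())
```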
26
Core Kerberos 4
K4core
[Diagram: message sequence between A, S and B. Labels as extracted: A,B; ν k, τ t; KAS(B,k,t,KBS(A,k,t)); τ t; KBS(A,k,t), k(A,t); k mt]
  • NSSK
  • key confirmation
  • repeated authentication
  • Timestamp ensures recency of each new request
  • A is client and initiator
  • Kerberos 4
  • 2 rounds of core Kerberos
  • Many more fields, options,
27
Kerberos 5
K5core
[Diagram: message sequence between A, S and B. Labels as extracted: A,B; KAS(B,k,t), KBS(A,k,t); ν k, τ t; τ t; KBS(A,k,t), k(A,t); k mt]
  • Same development but
  • Start from concatenated variant of Denning Sacco
28
Future Work
Current
  • Define Secrecy Logic
  • Authentication as assumptions
  • Modular model of secrecy
  • Dolev-Yao
  • Information-theoretic
  • Computational
  • Apply to examples
  • Diffie-Hellman hierarchy
  • Full Kerberos 5
  • PKINIT
  • Implement within Kestrel's PDA

Future